VULNERABILITY DISCLOSURE POLICY

At Oxylabs, we are committed to ensuring the security of our infrastructure and our customers' data. Our security team values and acknowledges the growing role of security researchers in furthering these goals. Note that any submission of potential vulnerabilities is voluntary and subject to terms and conditions delineated in this Policy. By submitting a finding, a researcher acknowledges reading and agreeing to this Policy.
This policy is intended to give guidelines for conducting vulnerability research and convey our preferences in submitting discovered vulnerabilities to us.

In-Scope*:
oxylabs.io, including the following subdomains:

We value those who take time and effort to report security vulnerabilities according to this policy. However, we do not consider monetary rewards for vulnerability disclosure regarding the following subdomains:

*.cn versions of the above-mentioned domains and subdomains are also considered in-scope.

Any service not expressly listed above, such as any connected or internal service, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems belonging to our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing be conducted only on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. 

Out-of-Scope Vulnerabilities:

  • Network-level Denial of Service attacks;

  • Application Denial of Service by locking user accounts;

  • Descriptive error messages or headers (e.g., Stack Traces, banner grabbing);

  • Disclosure of known public files or directories (e.g., robots.txt);

  • Outdated software/library versions;

  • OPTIONS/TRACE HTTP method enabled;

  • CSRF on logout;

  • CSRF on forms that are available to anonymous users;

  • Cookies that lack the HttpOnly or Secure flags for non-sensitive data;

  • Self-XSS and issues exploitable only through Self-XSS;

  • Attacks requiring physical access to a user’s device;

  • Username enumeration based on login or forgot password pages;

  • Enforcement policies for brute force, rate limiting, or account lockout;

  • SSL/TLS best practices;

  • SSL attacks, such as BEAST, BREACH, or Renegotiation attack;

  • Clickjacking without additional details demonstrating a specific exploit;

  • Mail configuration issues including SPF, DKIM, DMARC settings;

  • Use of a known-vulnerable library without a description of an exploit specific to our implementation;

  • Password and account recovery policies;

  • Presence of autocomplete functionality in form fields;

  • Lack of email address verification during account registration or account invitation;

  • Lack of email address verification during password restore;

  • Session control during email/password changes.

Authorization/“Safe harbour”

Any good-faith effort to comply with this policy and ‘do not harm’ as a guiding principle during security research will be considered authorized. We will work to understand the issue submitted to us.

We consider vulnerability research conducted according to this policy to be:

  • Authorized in view of any applicable anti-hacking laws.

  • Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.

  • Exempt from our Acceptable Usage Policy restrictions that would interfere with responsible security research.

  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If a third party initiates legal action against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Guidelines AKA The Process

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after discovering a real or potential security issue.

  • Only test vulnerabilities using your own accounts or accounts that you have explicit permission to test with.

  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

  • Performing actions that may negatively affect Oxylabs or its users (e.g., Spam, Brute Force, Denial of Service…).

  • Automated vulnerability scanners are strictly prohibited - we use them ourselves, so there is no need to send duplicates.

  • Automated testing is only permitted within the context of verification of an exploit and only at a reasonable amount and rate of around six requests per second or less.

  • Specialized custom scripts and fuzzing tools are still permitted, but please keep your traffic to six requests per second or less when using them.

  • Accessing, or attempting to access data or information that does not belong to you.

  • Destroying or corrupting, or attempting to destroy or corrupt data or information that does not belong to you.

  • Retaining any personally identifiable information discovered in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.

  • Any exploitation actions that go beyond what is required for the initial “Proof of Vulnerability.” This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.

  • Conducting any kind of physical or electronic attack on Oxylabs personnel or property.

  • Social engineering any Oxylabs service desk, employee or contractor.

  • Requiring financial compensation in order to disclose any vulnerabilities outside of a declared policy (such as holding an organization to ransom).

Reporting a vulnerability

We accept vulnerability reports via e-mail at security@oxylabs.io. Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. Reports may be submitted anonymously.

By submitting a vulnerability, you acknowledge that you have no expectation of payment and that any compensation or future reward related to your submission is solely at the discretion of Oxylabs.

You must not disclose the reported vulnerability to others until we’ve had 60 days to respond and triage the vulnerability. Additional days may be needed for complete remediation.

Your side:

In order to help us triage and prioritize submissions, your report should have:

  • Full description of the vulnerability, including the exploitability and impact.

  • Affected URL(s).

  • IPs that were used while testing.

  • Documentation of all steps required to reproduce the vulnerability.

  • PoC in video/screenshots.

  • Any files you attempted to upload.

Failure to include any of the above items may delay or jeopardize the bounty payment.

Our side:

When you choose to share your contact information with us, we commit to coordinating with you as openly and quickly as possible.

  • If you share contact information, we will acknowledge receipt of your report within 3-4 business days.

  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

  • We will maintain an open dialogue to discuss issues.

  • Any rewards that are provided come at our discretion, but are influenced by criticality, exploitability and risk of the finding.

Questions

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, or whether a system is in scope or not [or should be], or questions in general regarding this policy, please contact us at security@oxylabs.io before going any further. We also invite you to contact us with suggestions for improving this policy.